Debian Security Advisory

DLA-2113-1 cloud-init -- LTS security update

Date Reported:
21 Feb 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 951362, Bug 951363.
In Mitre's CVE dictionary: CVE-2020-8631, CVE-2020-8632.
More information:


In cloud-init, relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/ calls the random.choice function.

  • CVE-2020-8632

    In cloud-init, rand_user_password in cloudinit/config/ has a small default pwlen value, which makes it easier for attackers to guess passwords.

For Debian 8 Jessie, these problems have been fixed in version 0.7.6~bzr976-2+deb8u1.

We recommend that you upgrade your cloud-init packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: